[webkit-dev] innerStaticHTML
Maciej Stachowiak
mjs at apple.com
Wed Nov 25 12:30:58 PST 2009
On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
> On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak <mjs at apple.com>
> wrote:
>> If we tie it to an element or attribute, people may be tempted to
>> just do it
>> in markup, which would be insecure.
>
> Maybe we should have a DOM API called
> webkitJailChildren("no-script-for-you") on Node that prevents future
> children from running script. Making it a DOM API prevents authors
> from trying to turn the feature on with markup.
Interesting idea. This seems potentially trickier to implement than
just innerStaticHTML, since nearly every method that mutates the DOM
will have to check jail status. innerStaticHTML could be limited in
scope to only operations that happen as part of parsing.
> On Tue, Nov 24, 2009 at 11:27 PM, Michal Zalewski
> <lcamtuf at google.com> wrote:
>> <span secure_mode="$random_server_generated_nonce">
>> ...unsanitized user content...
>> </span secure_mode="$random_server_generated_nonce">
>
> I'd rather not go this route in our initial implementation. I think
> we should target the use case of a web site receiving an untrusted
> string via cross-origin XMLHttpRequest or postMessage.
One obvious likely use case is for sites that wish to sanitize user-
generated content, for example comment sections of blogs.
innerStaticHTML is actually decent for that use case. Not quite as
nice as markup, but I'm wary of introducing parser complexity to
defend against hostile content that tries to prematurely close the jail.
Regards,
Maciej
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20091125/ea8b193f/attachment.html>
More information about the webkit-dev
mailing list